1 /*******************************************************************************
\r
2 * ============LICENSE_START====================================================
\r
4 * * ===========================================================================
\r
5 * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
\r
6 * * ===========================================================================
\r
7 * * Licensed under the Apache License, Version 2.0 (the "License");
\r
8 * * you may not use this file except in compliance with the License.
\r
9 * * You may obtain a copy of the License at
\r
11 * * http://www.apache.org/licenses/LICENSE-2.0
\r
13 * * Unless required by applicable law or agreed to in writing, software
\r
14 * * distributed under the License is distributed on an "AS IS" BASIS,
\r
15 * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
16 * * See the License for the specific language governing permissions and
\r
17 * * limitations under the License.
\r
18 * * ============LICENSE_END====================================================
\r
20 * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
\r
22 ******************************************************************************/
\r
23 package org.onap.aaf.cadi;
\r
25 import java.security.Principal;
\r
26 import java.util.ArrayList;
\r
27 import java.util.List;
\r
29 import javax.servlet.http.HttpServletRequest;
\r
30 import javax.servlet.http.HttpServletRequestWrapper;
\r
32 import org.onap.aaf.cadi.Access.Level;
\r
33 import org.onap.aaf.cadi.filter.NullPermConverter;
\r
34 import org.onap.aaf.cadi.filter.PermConverter;
\r
35 import org.onap.aaf.cadi.lur.EpiLur;
\r
36 import org.onap.aaf.cadi.taf.TafResp;
\r
41 * Extends HttpServletRequestWrapper, which delegates to the request it is created with, but
42 * overrides the key security methods with CADI mechanisms.
\r
44 * This works with mechanisms working strictly with HttpServletRequest (i.e. Servlet Filters)
\r
46 * In special cases, e.g. Tomcat, whose containers use their own mechanisms and wrappers, you may
47 * need something similar. See the AppServer-specific code (e.g. tomcat) for these.
\r
51 public class CadiWrap extends HttpServletRequestWrapper implements HttpServletRequest, BasicCred {
\r
52 private Principal principal;
\r
54 private String user; // used to set user/pass from brain-dead protocols like WSSE
\r
55 private byte[] password;
\r
56 private PermConverter pconv;
\r
57 private Access access;
\r
60 * Standard Wrapper constructor for Delegate pattern
\r
63 public CadiWrap(HttpServletRequest request, TafResp tafResp, Lur lur) {
\r
65 principal = tafResp.getPrincipal();
\r
66 access = tafResp.getAccess();
\r
68 pconv = NullPermConverter.singleton();
\r
72 * Standard Wrapper constructor for Delegate pattern, with PermConverter
\r
75 public CadiWrap(HttpServletRequest request, TafResp tafResp, Lur lur, PermConverter pc) {
\r
77 principal = tafResp.getPrincipal();
\r
78 access = tafResp.getAccess();
\r
/**
 * Part of the HTTP Security API: reports the user associated with this HTTP transaction.
 *
 * CADI answers with the name of the Principal established for the request, if any. When no
 * Principal is present the transaction is unauthenticated and {@code null} is returned.
 *
 * @return the Principal's name, or {@code null} when no Principal was established
 */
public String getRemoteUser() {
    Principal current = principal;
    if (current == null) {
        return null;
    }
    return current.getName();
}
\r
94 * Part of the HTTP Security API. Return the User Principal associated with this HTTP
\r
98 public Principal getUserPrincipal() {
\r
/**
 * The key AUTHZ call in J2EE: given a Role (for CADI, a permission string), is the user
 * associated with this HTTP transaction allowed to act in it?
 *
 * CADI delegates the decision to the configured Lur through {@link #checkPerm}, which may be
 * supplied by the Enterprise; the permission string is passed through the PermConverter there
 * before the Lur is consulted.
 *
 * Note: a Role check is also done in "CadiRealm" in certain cases.
 *
 * @param perm the role/permission to check; {@code null} is always denied
 * @return {@code true} only when checkPerm grants the permission to the current Principal
 */
public boolean isUserInRole(String perm) {
    if (perm == null) {
        return false;
    }
    return checkPerm(access, "(HttpRequest)", principal, pconv, lur, perm);
}
\r
118 public static boolean checkPerm(Access access, String caller, Principal principal, PermConverter pconv, Lur lur, String perm) {
\r
119 if(principal== null) {
\r
120 access.log(Level.AUDIT,caller, "No Principal in Transaction");
\r
123 perm = pconv.convert(perm);
\r
124 if(lur.fish(principal,lur.createPerm(perm))) {
\r
125 access.log(Level.DEBUG,caller, principal.getName(), "has", perm);
\r
128 access.log(Level.DEBUG,caller, principal.getName(), "does not have", perm);
\r
136 * CADI function (not a J2EE standard). getPermissions reads the Permissions from AAF (if configured), the Roles from the local Lur, etc.,
137 * as implemented by lur.fishAll.
139 * To use it, the Request must be a CadiWrap object; cast it and call this method.
\r
141 public List<Permission> getPermissions(Principal p) {
\r
142 List<Permission> perms = new ArrayList<Permission>();
\r
143 lur.fishAll(p, perms);
\r
147 * Allow setting of tafResp and lur after construction
\r
149 * This can happen if the CadiWrap is constructed in a Valve other than CadiValve
\r
151 public void set(TafResp tafResp, Lur lur) {
\r
152 principal = tafResp.getPrincipal();
\r
153 access = tafResp.getAccess();
\r
157 public String getUser() {
\r
158 if(user==null && principal!=null) {
\r
159 user = principal.getName();
\r
164 public byte[] getCred() {
\r
168 public void setUser(String user) {
\r
172 public void setCred(byte[] passwd) {
\r
176 public CadiWrap setPermConverter(PermConverter pc) {
\r
/**
 * Drops any cached entry for {@code id} from the underlying Lur.
 *
 * Only an EpiLur or a CachingLur is asked to remove the entry; for any other Lur type this
 * call is a no-op, so callers cannot assume a cached identity was actually evicted.
 *
 * @param id the identity whose cached entry should be removed
 */
public void invalidate(String id) {
    Lur current = lur;
    if (current instanceof EpiLur) {
        ((EpiLur) current).remove(id);
        return;
    }
    if (current instanceof CachingLur) {
        ((CachingLur<?>) current).remove(id);
    }
}
\r
190 public Lur getLur() {
\r